Amos,

Months later (sorry...) - many thanks for your explanations. I used them when needed to correct incoherent parameters, and Squid is now fully functional on my network.

Thanks again.

DaNifty

Amos Jeffries-2 wrote:
>
> On Tue, 21 Jul 2009 07:16:36 -0700 (PDT), danifty <danifty@xxxxxxxxx>
> wrote:
>> Hi all,
>>
>> I'm fairly new to squid, and I'm trying to configure it for filtering web
>> access from multiple vlans, allowing some of them to go to some destinations
>> (and nowhere else), and others... to go to other destinations, etc. All
>> other vlans are granted to go everywhere (I hope this is clever... I'm
>> French... sorry! :-))
>>
>> Here is how I think it can be done... but I doubt it. Could you please tell me
>> if this is good, and if not, could you explain to me what to do to have a
>> correct filtering configuration.
>>
>> Thanks a lot!
>>
>> ################################################
>> ### SOURCES ###
>> # [VLAN 1]
>> acl src_vlan_1 src 192.168.1.0/24
>>
>> # [VLAN 2]
>> acl src_vlan_2 src 192.168.2.0/24
>>
>> # [All VLANs]
>> acl all src all
>
> Your idea here is slightly broken.
>
> "all" means all Internet. When defined like this, it means any source on
> Internet.
>
> Best use:
> # [All VLANs]
> acl Tous_VLANs src 192.168.0.0/16
>
> (NP: that covers all vlans inside 192.168.*.0/24. Add other ranges as
> needed to the list)
>
>>
>> ################################################
>>
>> ### DESTINATIONS ###
>> # [VLAN 1]
>> acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
>>
>> # [VLAN 2]
>> acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
>>
>> # [All destinations]
>> acl ALL_INTERNET dst 0.0.0.0/32
>
> Broken. This only permits if the _single_ IP == "0.0.0.0" is requested.
> And requires a destination IP lookup before anything can be done.
>
> Best use the "all" ACL defined above instead.
>
> # [All Internet]
> acl all src all
>
>>
>> ################################################
>>
>> ### AUTHORISATIONS ###
>>
>> # VLAN 1
>> http_access allow dst_VLAN1_SITES src_vlan_1
>> http_access deny src_vlan_1 ALL_INTERNET
>>
>
> http_access allow dst_VLAN1_SITES src_vlan_1
> http_access deny src_vlan_1
>
>> # VLAN 2
>> http_access allow dst_VLAN2_SITE_CLIENT src_vlan_2
>> http_access deny src_vlan_2 ALL_INTERNET
>
> http_access allow dst_VLAN2_SITE_CLIENT src_vlan_2
> http_access deny src_vlan_2
>
>>
>> http_access allow all ALL_INTERNET
>
> Means any source on Internet can go to any destination on Internet through
> your proxy.
>
> Definitely NOT a good idea.
>
> Please use:
> http_access allow Tous_VLANs
> http_access deny all
>
> Amos
>
>

--
View this message in context: http://www.nabble.com/Are-these-acl---http_access-correct---tp24588523p25670649.html
Sent from the Squid - Users mailing list archive at Nabble.com.
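Added here as an illustration, not part of the thread and not Squid's own code: a short Python model of the http_access evaluation that the original and corrected configurations imply (lines are checked top to bottom, every ACL on a line must match, the first matching line decides, and a request that matches nothing gets the opposite of the last line's action). The DNS table and the client and server addresses are constructed; the original's dst_VLAN2_SITE_CLIENT is assumed to mean the dst_VLAN2_SITES ACL that was actually defined; and OPEN_PROXY_RULES is an assumed variant showing what a final "allow all" line would do.

```python
import ipaddress

# Constructed DNS table so "dst" ACLs can resolve a host offline. 203.0.113.0/24 is
# the documentation range, used here as a placeholder for "somewhere on the Internet".
DNS = {
    "www.google.fr": "203.0.113.10",
    "www.voila.fr": "203.0.113.20",
    "example.org": "203.0.113.30",
}

# ACL table: name -> (type, values). The poster's definitions plus Tous_VLANs from
# Amos's reply. The original rules reference dst_VLAN2_SITE_CLIENT but only define
# dst_VLAN2_SITES; this model assumes the same ACL was meant.
ACLS = {
    "src_vlan_1": ("src", ["192.168.1.0/24"]),
    "src_vlan_2": ("src", ["192.168.2.0/24"]),
    "Tous_VLANs": ("src", ["192.168.0.0/16"]),
    "all": ("src", ["0.0.0.0/0"]),              # "acl all src all": any source address
    "dst_VLAN1_SITES": ("dstdomain", [".google.fr", ".yahoo.com"]),
    "dst_VLAN2_SITES": ("dstdomain", [".voila.fr", ".altavista.com"]),
    "ALL_INTERNET": ("dst", ["0.0.0.0/32"]),    # only the single server address 0.0.0.0
}

# The poster's original http_access lines, as (action, [acl names]).
ORIGINAL_RULES = [
    ("allow", ["dst_VLAN1_SITES", "src_vlan_1"]),
    ("deny",  ["src_vlan_1", "ALL_INTERNET"]),
    ("allow", ["dst_VLAN2_SITES", "src_vlan_2"]),
    ("deny",  ["src_vlan_2", "ALL_INTERNET"]),
    ("allow", ["all", "ALL_INTERNET"]),
]

# Amos's corrected lines.
CORRECTED_RULES = [
    ("allow", ["dst_VLAN1_SITES", "src_vlan_1"]),
    ("deny",  ["src_vlan_1"]),
    ("allow", ["dst_VLAN2_SITES", "src_vlan_2"]),
    ("deny",  ["src_vlan_2"]),
    ("allow", ["Tous_VLANs"]),
    ("deny",  ["all"]),
]

# Assumed variant: what the original's last line would have meant if its destination
# ACL had actually matched, i.e. an unconditional "allow all" at the end.
OPEN_PROXY_RULES = CORRECTED_RULES[:4] + [("allow", ["all"])]


def _domain_match(host, pattern):
    """dstdomain semantics: a leading dot matches the domain and all subdomains."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(name, client_ip, host):
    """Return True if ACL `name` matches a request from client_ip to host."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(_domain_match(host, v) for v in values)
    if kind == "dst":
        # Needs a name lookup first (one of Amos's objections); an unresolvable
        # host simply never matches in this model.
        if host not in DNS:
            return False
        ip = ipaddress.ip_address(DNS[host])
        return any(ip in ipaddress.ip_network(v) for v in values)
    raise ValueError(f"unknown ACL type {kind}")


def http_access(rules, client_ip, host):
    """First-match evaluation: all ACLs on a line are ANDed, first hit decides."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, host) for n in names):
            return action
    # Nothing matched: the default is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    requests = [
        ("192.168.1.7", "www.google.fr"),   # VLAN 1 to one of its allowed sites
        ("192.168.1.7", "www.voila.fr"),    # VLAN 1 to a site meant for VLAN 2
        ("192.168.3.7", "example.org"),     # another VLAN, meant to go everywhere
        ("203.0.113.5", "example.org"),     # a client outside the LAN entirely
    ]
    for label, rules in (("original", ORIGINAL_RULES),
                         ("corrected", CORRECTED_RULES),
                         ("allow-all", OPEN_PROXY_RULES)):
        for client, host in requests:
            print(f"{label:10} {client:13} -> {host:15} {http_access(rules, client, host)}")
```

Running it makes Amos's two points concrete: with `dst 0.0.0.0/32`, the final `allow all ALL_INTERNET` line never matches a real destination, so VLANs other than 1 and 2 are refused by the implicit default rather than "granted to go everywhere"; and once that line is made to match (the `allow all` variant), a client from outside the LAN is allowed through, which is the open-proxy outcome the reply warns about. The corrected list gives the intended result for every request in the table.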